{"id":81239,"date":"2026-05-21T10:04:33","date_gmt":"2026-05-21T03:04:33","guid":{"rendered":"https:\/\/hbbgroup.net\/shai-hulud-what-to-know-about-the-malware-spreading-through-software-pipelines\/"},"modified":"2026-05-21T10:04:33","modified_gmt":"2026-05-21T03:04:33","slug":"shai-hulud-what-to-know-about-the-malware-spreading-through-software-pipelines","status":"publish","type":"post","link":"https:\/\/hbbgroup.net\/zh\/shai-hulud-what-to-know-about-the-malware-spreading-through-software-pipelines\/","title":{"rendered":"Shai-Hulud: What to Know About the Malware Spreading Through Software Pipelines"},"content":{"rendered":"<div>\n<div>\n<h4 color=\"#333\">In brief<\/h4>\n<ul>\n<li>Shai-Hulud malware has been linked to roughly 300 npm and PyPI package entries.<\/li>\n<li>OpenAI, Microsoft, and Mistral AI disclosed recent Shai-Hulud-related incidents.<\/li>\n<li>The malware abused GitHub Actions and trusted software publishing workflows.<\/li>\n<\/ul>\n<\/div>\n<p>A malware campaign known as \u201cShai-Hulud\u201d is spreading through the software pipelines developers use to build and distribute code, raising new concerns about how much of the modern internet now depends on automated systems operating with little direct human oversight.<\/p>\n<p>Researchers linked the Shai-Hulud malware campaign to roughly <a href=\"https:\/\/www.ox.security\/blog\/the-antv-ecosystem-was-compromised-with-shai-hulud-malware-300-packages-affected\/\" target=\"_blank\" rel=\"noopener nofollow external\">320 package<\/a> entries across Node Package Manager (NPM) and PyPI, two of the largest online repositories developers use to download and share JavaScript and Python software packages. The affected packages collectively account for more than 518 million monthly downloads.<\/p>\n<p>\u201cShai-Hulud is significant because it exposes a problem we cannot fully patch away: modern software is built by running other people\u2019s code,\u201d Jeff Williams, CTO of California-based security firm <a href=\"https:\/\/www.contrastsecurity.com\/\" target=\"_blank\" rel=\"noopener nofollow external\">Contrast Security<\/a>, told <i>Decrypt<\/i>. \u201cDevelopers do not merely \u2018download\u2019 libraries. They install them, build with them, test with them, deploy with them, and eventually execute them. And if you run a malicious library, it can do almost anything you can do.\u201d<\/p>\n<p>Advances in artificial intelligence complicate the threat, Williams said, comparing Shai-Hulud to making a computer a double-agent.<\/p>\n<p>\u201cThe scary part is the leverage. If an attacker compromises one obscure package, they do not just get that package,\u201d Williams said. \u201cThey get a path into every downstream project that trusts it. Then they can steal more tokens, publish more poisoned packages, and repeat the cycle. The software supply chain is not a chain anymore\u2014it\u2019s a propagation network,\u201d he added.<\/p>\n<p>Earlier this month, Microsoft Threat Intelligence <a href=\"https:\/\/decrypt.co\/367683\/hackers-insert-malware-mistral-ai\" target=\"_blank\" rel=\"noopener\">disclosed<\/a> that attackers inserted malicious code into a Mistral AI software package distributed through PyPI. Microsoft said the malware downloaded an additional file designed to resemble Hugging Face\u2019s widely used Transformers library so it would blend into machine-learning development environments.<\/p>\n<p>Mistral later said an affected developer device was involved in the incident, but added that it had \u201cno indication that Mistral infrastructure was compromised.\u201d<\/p>\n<p>Two days later, OpenAI <a href=\"https:\/\/decrypt.co\/367883\/openai-confirms-security-breach-ai-malware-campaign\" target=\"_blank\" rel=\"noopener\">confirmed<\/a> malware tied to the same campaign infected two employee devices and gave attackers access to a limited number of internal code repositories. The company said it found no evidence that customer data, production systems, or intellectual property were compromised.<\/p>\n<h2 color=\"#333\"><strong>Shai-Hulud cometh<\/strong><\/h2>\n<p>Named after the giant sandworms in Frank Herbert\u2019s \u201cDune,\u201d researchers <a href=\"https:\/\/www.reversinglabs.com\/blog\/shai-hulud-worm-npm\" target=\"_blank\" rel=\"noopener nofollow external\">traced<\/a> earlier versions of the malware back to September 2025 and cybercriminals known as TeamPCP. However, the campaign drew wider attention after a major May 11 attack targeting <a href=\"https:\/\/securityboulevard.com\/2026\/05\/the-tanstack-breach-and-the-fragility-of-trusted-code\/\" target=\"_blank\" rel=\"noopener nofollow external\">TanStack<\/a>, a widely used open-source JavaScript framework used in web and cloud applications.<\/p>\n<p>Shai-Hulud is part of a growing type of supply-chain attack in which hackers compromise trusted software tools or services that other companies already use. Instead of targeting victims directly, the attackers use those trusted systems to spread malicious code or gain access to developer environments.<\/p>\n<p>Researchers say the attacks poison shared build caches so future software releases would quietly pull in the malicious code. To a developer downloading the packages, everything looks normal because the software came from trusted sources, carried valid signatures, and passed the usual security checks. That\u2019s what made the attack so unsettling.<\/p>\n<p>On Sunday, cybersecurity firm OX Security <a href=\"https:\/\/www.ox.security\/blog\/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here\/\" target=\"_blank\" rel=\"noopener nofollow external\">reported<\/a> that new malicious packages mimicking the original malware were already stealing cloud and <a href=\"https:\/\/decrypt.co\/338516\/crypto-users-warned-stop-transacting-massive-exploit-threatens-apps-wallets\" target=\"_blank\" rel=\"noopener\">crypto wallet<\/a> credentials, SSH keys, and environment variables. At the same time, some variants attempted to turn infected machines into DDoS botnets.<\/p>\n<p>\u201cOne incriminating evidence that this is a different actor from TeamPCP is that the Shai-Hulud malware code is an almost exact copy of the leaked source code, with no obfuscation techniques, which make the final version visually different from the original,\u201d OX Security wrote. \u201cIn our breakdown, we show the side by side comparison of the chalk-template Shai-Hulud version with the original source code leak, showing that they are the same.\u201d<\/p>\n<p>News around Shai-Hulud comes as modern software developers increasingly depend on automated platforms like GitHub Actions. At the same time, supply-chain attacks targeting open-source infrastructure have grown more common as attackers increasingly focus on developer tooling and automated publishing systems, rather than end-user systems directly.<\/p>\n<p>\u201c[Shai-Hulud] is a reminder that [systems, applications, and products] attack surface now extends well beyond traditional application layers and into the open-source packages that power modern development and deployment workflows,\u201d Joris Van De Vis, Director Security Research at Netherlands-based cybersecurity firm <a href=\"https:\/\/securitybridge.com\/\" target=\"_blank\" rel=\"noopener nofollow external\">SecurityBridge<\/a>, told <i>Decrypt.<\/i><\/p>\n<p>On Tuesday, GitHub said it was <u><span><a href=\"https:\/\/decrypt.co\/368476\/github-confirms-3800-internal-repos-stolen-poisoned-vs-code-extension\" target=\"_blank\" rel=\"noopener noreferrer\">investigating<\/a><\/span><\/u> unauthorized access to its internal repositories after TeamPCP claimed responsibility for stealing roughly 4,000 private repos and offered the data for sale on a cybercrime forum for at least $50,000.<\/p>\n<p>According to Van De Vis, Shai-Hulud also shows how attacks targeting trusted software automation can quickly spread from developer tools into enterprise systems that companies rely on for critical operations.<\/p>\n<p>&#8220;When trusted npm dependencies can be weaponized to steal credentials from [Cloud Application Programming] and [Multi-Target Application] environments, the risk is no longer just a developer laptop issue, it becomes a direct path toward productive SAP systems, which is why organizations need tighter dependency controls, exact version pinning, and stronger publishing safeguards,&#8221; Van De Vis said.<\/p>\n<div>\n<h3>Daily Debrief Newsletter<\/h3>\n<p>Start every day with the top news stories right now, plus original features, a podcast, videos and more.<\/p>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In brief Shai-Hulud malware has been linked to roughly 300 npm and PyPI package entries. OpenAI, Microsoft, and Mistral AI [&hellip;]<\/p>","protected":false},"author":5,"featured_media":81240,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[220],"tags":[],"class_list":["post-81239","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tien-dien-tu"],"acf":[],"_links":{"self":[{"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/posts\/81239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/comments?post=81239"}],"version-history":[{"count":0,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/posts\/81239\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/media\/81240"}],"wp:attachment":[{"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/media?parent=81239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/categories?post=81239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hbbgroup.net\/zh\/wp-json\/wp\/v2\/tags?post=81239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}